Jochen, I picked the patterns from Logstash package
(logstash-5.0.0\vendor\bundle\jruby\1.9\gems\logstash-patterns-core-4.0.2\patterns\firewalls)
and saved them into a plain text file: ASAPatterns.grok
The content is as follows:
#== Cisco ASA ==
CISCO_TAGGED_SYSLOG ^<%{POSINT:syslog_pri}>%{CISCOTIMESTAMP:timestamp}(
%{SYSLOGHOST:sysloghost})? ?: %%{CISCOTAG:ciscotag}:
CISCOTIMESTAMP %{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}
CISCOTAG [A-Z0-9]+-%{INT}-(?:[A-Z0-9_]+)
# Common Particles
CISCO_ACTION Built|Teardown|Deny|Denied|denied|requested|permitted|denied
by ACL|discarded|est-allowed|Dropping|created|deleted
CISCO_REASON Duplicate TCP SYN|Failed to locate egress interface|Invalid
transport field|No matching connection|DNS Response|DNS
Query|(?:%{WORD}\s*)*
CISCO_DIRECTION Inbound|inbound|Outbound|outbound
CISCO_INTERVAL first hit|%{INT}-second interval
CISCO_XLATE_TYPE static|dynamic
# ASA-1-104001
CISCOFW104001 \((?:Primary|Secondary)\) Switching to ACTIVE -
%{GREEDYDATA:switch_reason}
# ASA-1-104002
CISCOFW104002 \((?:Primary|Secondary)\) Switching to STANDBY -
%{GREEDYDATA:switch_reason}
# ASA-1-104003
CISCOFW104003 \((?:Primary|Secondary)\) Switching to FAILED\.
# ASA-1-104004
CISCOFW104004 \((?:Primary|Secondary)\) Switching to OK\.
# ASA-1-105003
CISCOFW105003 \((?:Primary|Secondary)\) Monitoring on [Ii]nterface
%{GREEDYDATA:interface_name} waiting
# ASA-1-105004
CISCOFW105004 \((?:Primary|Secondary)\) Monitoring on [Ii]nterface
%{GREEDYDATA:interface_name} normal
# ASA-1-105005
CISCOFW105005 \((?:Primary|Secondary)\) Lost Failover communications with
mate on [Ii]nterface %{GREEDYDATA:interface_name}
# ASA-1-105008
CISCOFW105008 \((?:Primary|Secondary)\) Testing [Ii]nterface
%{GREEDYDATA:interface_name}
# ASA-1-105009
CISCOFW105009 \((?:Primary|Secondary)\) Testing on [Ii]nterface
%{GREEDYDATA:interface_name} (?:Passed|Failed)
# ASA-2-106001
CISCOFW106001 %{CISCO_DIRECTION:direction} %{WORD:protocol} connection
%{CISCO_ACTION:action} from %{IP:src_ip}/%{INT:src_port} to
%{IP:dst_ip}/%{INT:dst_port} flags %{GREEDYDATA:tcp_flags} on interface
%{GREEDYDATA:interface}
# ASA-2-106006, ASA-2-106007, ASA-2-106010
CISCOFW106006_106007_106010 %{CISCO_ACTION:action}
%{CISCO_DIRECTION:direction} %{WORD:protocol} (?:from|src)
%{IP:src_ip}/%{INT:src_port}(\(%{DATA:src_fwuser}\))? (?:to|dst)
%{IP:dst_ip}/%{INT:dst_port}(\(%{DATA:dst_fwuser}\))? (?:on interface
%{DATA:interface}|due to %{CISCO_REASON:reason})
# ASA-3-106014
CISCOFW106014 %{CISCO_ACTION:action} %{CISCO_DIRECTION:direction}
%{WORD:protocol} src
%{DATA:src_interface}:%{IP:src_ip}(\(%{DATA:src_fwuser}\))? dst
%{DATA:dst_interface}:%{IP:dst_ip}(\(%{DATA:dst_fwuser}\))? \(type
%{INT:icmp_type}, code %{INT:icmp_code}\)
# ASA-6-106015
CISCOFW106015 %{CISCO_ACTION:action} %{WORD:protocol} \(%{DATA:policy_id}\)
from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} flags
%{DATA:tcp_flags} on interface %{GREEDYDATA:interface}
# ASA-1-106021
CISCOFW106021 %{CISCO_ACTION:action} %{WORD:protocol} reverse path check
from %{IP:src_ip} to %{IP:dst_ip} on interface %{GREEDYDATA:interface}
# ASA-4-106023
CISCOFW106023 %{CISCO_ACTION:action}( protocol)? %{WORD:protocol} src
%{DATA:src_interface}:%{DATA:src_ip}(/%{INT:src_port})?(\(%{DATA:src_fwuser}\))?
dst
%{DATA:dst_interface}:%{DATA:dst_ip}(/%{INT:dst_port})?(\(%{DATA:dst_fwuser}\))?(
\(type %{INT:icmp_type}, code %{INT:icmp_code}\))? by access-group
"?%{DATA:policy_id}"? \[%{DATA:hashcode1}, %{DATA:hashcode2}\]
# ASA-4-106100, ASA-4-106102, ASA-4-106103
CISCOFW106100_2_3 access-list %{NOTSPACE:policy_id} %{CISCO_ACTION:action}
%{WORD:protocol} for user '%{DATA:src_fwuser}'
%{DATA:src_interface}/%{IP:src_ip}\(%{INT:src_port}\) ->
%{DATA:dst_interface}/%{IP:dst_ip}\(%{INT:dst_port}\) hit-cnt
%{INT:hit_count} %{CISCO_INTERVAL:interval} \[%{DATA:hashcode1},
%{DATA:hashcode2}\]
# ASA-5-106100
CISCOFW106100 access-list %{NOTSPACE:policy_id} %{CISCO_ACTION:action}
%{WORD:protocol}
%{DATA:src_interface}/%{IP:src_ip}\(%{INT:src_port}\)(\(%{DATA:src_fwuser}\))?
->
%{DATA:dst_interface}/%{IP:dst_ip}\(%{INT:dst_port}\)(\(%{DATA:src_fwuser}\))?
hit-cnt %{INT:hit_count} %{CISCO_INTERVAL:interval} \[%{DATA:hashcode1},
%{DATA:hashcode2}\]
# ASA-6-110002
CISCOFW110002 %{CISCO_REASON:reason} for %{WORD:protocol} from
%{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to
%{IP:dst_ip}/%{INT:dst_port}
# ASA-6-302010
CISCOFW302010 %{INT:connection_count} in use, %{INT:connection_count_max}
most used
# ASA-6-302013, ASA-6-302014, ASA-6-302015, ASA-6-302016
CISCOFW302013_302014_302015_302016 %{CISCO_ACTION:action}(?:
%{CISCO_DIRECTION:direction})? %{WORD:protocol} connection
%{INT:connection_id} for
%{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port}(
\(%{IP:src_mapped_ip}/%{INT:src_mapped_port}\))?(\(%{DATA:src_fwuser}\))?
to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}(
\(%{IP:dst_mapped_ip}/%{INT:dst_mapped_port}\))?(\(%{DATA:dst_fwuser}\))?(
duration %{TIME:duration} bytes %{INT:bytes})?(?: %{CISCO_REASON:reason})?(
\(%{DATA:user}\))?
# ASA-6-302020, ASA-6-302021
CISCOFW302020_302021 %{CISCO_ACTION:action}(?:
%{CISCO_DIRECTION:direction})? %{WORD:protocol} connection for faddr
%{IP:dst_ip}/%{INT:icmp_seq_num}(?:\(%{DATA:fwuser}\))? gaddr
%{IP:src_xlated_ip}/%{INT:icmp_code_xlated} laddr
%{IP:src_ip}/%{INT:icmp_code}( \(%{DATA:user}\))?
# ASA-6-305011
CISCOFW305011 %{CISCO_ACTION:action} %{CISCO_XLATE_TYPE:xlate_type}
%{WORD:protocol} translation from
%{DATA:src_interface}:%{IP:src_ip}(/%{INT:src_port})?(\(%{DATA:src_fwuser}\))?
to %{DATA:src_xlated_interface}:%{IP:src_xlated_ip}/%{DATA:src_xlated_port}
# ASA-3-313001, ASA-3-313004, ASA-3-313008
CISCOFW313001_313004_313008 %{CISCO_ACTION:action} %{WORD:protocol}
type=%{INT:icmp_type}, code=%{INT:icmp_code} from %{IP:src_ip} on interface
%{DATA:interface}( to %{IP:dst_ip})?
# ASA-4-313005
CISCOFW313005 %{CISCO_REASON:reason} for %{WORD:protocol} error message:
%{WORD:err_protocol} src
%{DATA:err_src_interface}:%{IP:err_src_ip}(\(%{DATA:err_src_fwuser}\))? dst
%{DATA:err_dst_interface}:%{IP:err_dst_ip}(\(%{DATA:err_dst_fwuser}\))?
\(type %{INT:err_icmp_type}, code %{INT:err_icmp_code}\) on
%{DATA:interface} interface\. Original IP payload: %{WORD:protocol} src
%{IP:orig_src_ip}/%{INT:orig_src_port}(\(%{DATA:orig_src_fwuser}\))? dst
%{IP:orig_dst_ip}/%{INT:orig_dst_port}(\(%{DATA:orig_dst_fwuser}\))?
# ASA-5-321001
CISCOFW321001 Resource '%{WORD:resource_name}' limit of
%{POSINT:resource_limit} reached for system
# ASA-4-402117
CISCOFW402117 %{WORD:protocol}: Received a non-IPSec packet \(protocol=
%{WORD:orig_protocol}\) from %{IP:src_ip} to %{IP:dst_ip}
# ASA-4-402119
CISCOFW402119 %{WORD:protocol}: Received an %{WORD:orig_protocol} packet
\(SPI= %{DATA:spi}, sequence number= %{DATA:seq_num}\) from %{IP:src_ip}
\(user= %{DATA:user}\) to %{IP:dst_ip} that failed anti-replay checking
# ASA-4-419001
CISCOFW419001 %{CISCO_ACTION:action} %{WORD:protocol} packet from
%{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to
%{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}, reason:
%{GREEDYDATA:reason}
# ASA-4-419002
CISCOFW419002 %{CISCO_REASON:reason} from
%{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to
%{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port} with different initial
sequence number
# ASA-4-500004
CISCOFW500004 %{CISCO_REASON:reason} for protocol=%{WORD:protocol}, from
%{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port}
# ASA-6-602303, ASA-6-602304
CISCOFW602303_602304 %{WORD:protocol}: An %{CISCO_DIRECTION:direction}
%{GREEDYDATA:tunnel_type} SA \(SPI= %{DATA:spi}\) between %{IP:src_ip} and
%{IP:dst_ip} \(user= %{DATA:user}\) has been %{CISCO_ACTION:action}
# ASA-7-710001, ASA-7-710002, ASA-7-710003, ASA-7-710005, ASA-7-710006
CISCOFW710001_710002_710003_710005_710006 %{WORD:protocol}
(?:request|access) %{CISCO_ACTION:action} from %{IP:src_ip}/%{INT:src_port}
to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}
# ASA-6-713172
CISCOFW713172 Group = %{GREEDYDATA:group}, IP = %{IP:src_ip}, Automatic NAT
Detection Status:\s+Remote end\s*%{DATA:is_remote_natted}\s*behind a NAT
device\s+This\s+end\s*%{DATA:is_local_natted}\s*behind a NAT device
# ASA-4-733100
CISCOFW733100 \[\s*%{DATA:drop_type}\s*\] drop %{DATA:drop_rate_id}
exceeded. Current burst rate is %{INT:drop_rate_current_burst} per second,
max configured rate is %{INT:drop_rate_max_burst}; Current average rate is
%{INT:drop_rate_current_avg} per second, max configured rate is
%{INT:drop_rate_max_avg}; Cumulative total count is %{INT:drop_total_count}
#== End Cisco ASA ==
On Friday, October 28, 2016 at 9:17:39 AM UTC-4, Jochen Schalanda wrote:
>
> Hi,
>
> where did you download the Content Pack or the Grok patterns from and how
> do they look like (please attach the file)?
>
> Cheers,
> Jochen
>
> On Friday, 28 October 2016 15:07:16 UTC+2, Greg Vasilyev wrote:
>>
>> Folks, I use the latest Graylog OVA that has been patched and has
>> extended storage.
>>
>> I am trying to import GROK patterns for Cisco ASA. The import process
>> succeeds, but the new patterns don't show up. There are no error messages
>> in any of the current logs under /var/log/graylog/.
>>
>> Any help would be appreciated. Thanks.
>>
>
--
You received this message because you are subscribed to the Google Groups
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/graylog2/c4e7998e-3c0d-4742-8041-9619eeacdc51%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
